
Following on from Novicaite's questions, I now think that we are dealing with the TDSS/Tidserv/Alureon rootkit. Unfortunately, it's found a cosy place and doesn't want to shift. I would really appreciate help as it's starting to drive me crazy!

Right, I have new OTL and FRST logs for you guys. I think I managed to disrupt the virus's security mechanism, so these logs should give you more info.

My name is Machiavelli and I will assist you with your problem. If you booted into safe mode on your computer then print my instructions! I'm in the 'Malware Staff Team' and will provide you with advice:

To remove Malware on a computer can be very complicated. Malware (malicious software) is able to hide and so I may not be able to find it so easily. In order to remove Malware from your computer, you need to follow my instructions carefully. Don't be worried if you don't know what to do. Just ask me! Please stay in contact with me until the problem is fixed.

Below are a few tips:

Removing Malware is usually very difficult. We need to search and analyse a lot of files. As this is done in our free time, please be patient especially if I don't answer every day!

Please follow these instructions: If you don't follow the instructions your computer may crash. If you fix your PC by yourself, this can be very risky!

Please stay in contact with me until your problem is resolved: As Malware may not be totally removed in one session or in one day, please stay in contact with me until the problem is resolved.

Please don't run any other tools without consulting with me as this can complicate finding and removing all Malware: Don't run any tools while I'm fixing your PC. That is counter productive and again, will only complicate finding and removing all Malware!

Read my post completely: If you don't do so, you may make mistakes that could result in your System crashing by your own actions!

Error - 10/06/2014 16:32:30 | Computer Name = Desktop-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error - 10/06/2014 16:42:42 | Computer Name = Desktop-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error - 10/06/2014 16:47:27 | Computer Name = Desktop-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

[ System Events ]
Error - 10/06/2014 15:56:42 | Computer Name = Desktop-PC | Source = Ntfs | ID = 55
Description = A corruption was discovered in the file system structure on volume D:. The exact nature of the corruption is unknown. The file system structures need to be scanned online.

Error - 10/06/2014 16:34:53 | Computer Name = Desktop-PC | Source = Ntfs | ID = 55
Description = A corruption was discovered in the file system structure on volume D:. The exact nature of the corruption is unknown. The file system structures need to be scanned online.

Error - 10/06/2014 16:34:53 | Computer Name = Desktop-PC | Source = Ntfs | ID = 55
Description = A corruption was discovered in the file system structure on volume D:. The exact nature of the corruption is unknown. The file system structures need to be scanned and fixed offline.

Error: (06/10/2014 02:12:11 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program iTunes64Setup.exe because of this error.

Program: iTunes64Setup.exe
File:

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
- It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.

Before posting the FRST log, I just want to note something that may help you determine what we are dealing with. I knew that the virus was blocking MalwareBytes (and the 2 other programs, in fact) from running, so I used MalwareBytes Chameleon.

Now, although Chameleon wasn't able to stop those processes/services that it felt were preventing an effective scan, I did manage to get a note of their names while it was working. The processes that it detected as malicious, and wanted to kill, were:

I didn't want to confuse matters by including it, but it seems I've done just that by removing it. I would reiterate that it's the only program to flag it as a PUP, so this is the only occasion where I've taken this action.

I will proceed with your instructions from CKscanner, and post the log.
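The OTL event entries quoted earlier in this thread (the repeated Microsoft-Windows-LoadPerf 3012 and Ntfs 55 errors) are tedious to read by eye once a log runs to hundreds of lines. The following parser is an added example, not code from the thread or from OTL/FRST; it turns entries of that "Error - date time | Computer Name = ... | Source = ... | ID = ..." shape into records, counts how often each (section, source, ID) repeats, and pulls out which volumes Ntfs reports as corrupted. The sample log is constructed for the example (the "[ Application Events ]" section label and the shortened LoadPerf description are assumptions, not text from the page).

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the OTL event-log shape quoted in the thread:
# a one-line header per event, followed by a "Description = ..." line.
SAMPLE_LOG = """[ Application Events ]
Error - 10/06/2014 16:32:30 | Computer Name = Desktop-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted when process Performance extension counter provider.

Error - 10/06/2014 16:42:42 | Computer Name = Desktop-PC | Source = Microsoft-Windows-LoadPerf | ID = 3012
Description = The performance strings in the Performance registry value is corrupted when process Performance extension counter provider.

[ System Events ]
Error - 10/06/2014 15:56:42 | Computer Name = Desktop-PC | Source = Ntfs | ID = 55
Description = A corruption was discovered in the file system structure on volume D:. The exact nature of the corruption is unknown. The file system structures need to be scanned online.

Error - 10/06/2014 16:34:53 | Computer Name = Desktop-PC | Source = Ntfs | ID = 55
Description = A corruption was discovered in the file system structure on volume D:. The exact nature of the corruption is unknown. The file system structures need to be scanned and fixed offline.
"""

# Header line: "<Level> - <dd/mm/yyyy> <hh:mm:ss> | Computer Name = X | Source = Y | ID = N"
HEADER_RE = re.compile(
    r"^(?P<level>\w+) - (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"Computer Name = (?P<computer>[^|]+?) \| Source = (?P<source>[^|]+?) \| ID = (?P<id>\d+)$"
)
VOLUME_RE = re.compile(r"on volume (\w:)")


def parse_otl_events(text: str) -> List[Dict[str, str]]:
    """Parse OTL-style event entries into dicts, remembering the [ ... ] section each came from."""
    events: List[Dict[str, str]] = []
    section = ""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.strip("[] ")      # e.g. "System Events"
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            current["section"] = section
            current["description"] = ""
            events.append(current)
            continue
        if line.startswith("Description = ") and current is not None:
            current["description"] = line[len("Description = "):]
    return events


def summarize(events: List[Dict[str, str]]) -> Counter:
    """Count events per (section, source, id) so repeated errors stand out."""
    return Counter((e["section"], e["source"], e["id"]) for e in events)


def corrupted_volumes(events: List[Dict[str, str]]) -> List[str]:
    """Volumes named in Ntfs event 55 descriptions (file-system corruption reports)."""
    vols = set()
    for e in events:
        if e["source"] == "Ntfs" and e["id"] == "55":
            m = VOLUME_RE.search(e["description"])
            if m:
                vols.add(m.group(1))
    return sorted(vols)


def ntfs_needs_offline_repair(events: List[Dict[str, str]]) -> bool:
    """True if any Ntfs 55 event says the structures must be fixed offline (i.e. CHKDSK at boot)."""
    return any(
        e["source"] == "Ntfs" and e["id"] == "55" and "offline" in e["description"]
        for e in events
    )


if __name__ == "__main__":
    evs = parse_otl_events(SAMPLE_LOG)
    for key, n in summarize(evs).most_common():
        print(f"{n:3d} x {key}")
    print("corrupted volumes:", corrupted_volumes(evs))
    print("offline repair needed:", ntfs_needs_offline_repair(evs))
```

Feeding a full OTL Extras log through parse_otl_events and summarize gives a quick frequency table of which (source, ID) pairs dominate, which is the first thing a helper wants before deciding whether a disk check belongs ahead of any malware fix. Note that the parser only records events whose header matches the regex exactly; a line mangled by copy-and-paste (such as the ones in this thread where "ID = 3012" and "Description =" ran together) is simply skipped, so a mismatch between the number of parsed events and the number of "Error -" lines is itself worth checking.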

Please download the attached fixlist.txt file and save it to the same location as FRST.

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST.exe/FRST64.exe and press the Fix button just once and wait

If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run

When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply

Step 2: FRST Scan

Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)

Click Scan to start FRST.

When FRST finishes scanning, a log, FRST.txt, will open.

Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

When the download has finished, please run the program (Win Vista / Win 7 / Win 8 users: please run it as Administrator).

Tick the box next to YES, I accept the Terms of Use then click on: Start

You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.

Make sure that the option Remove found threats is NOT checked.

Make sure that the option Scan archives is checked.

Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications

Scan for potentially unsafe applications

Enable Anti-Stealth Technology

Then click on Start

The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.

When completed, the Online Scan will begin automatically. The scan may take several hours.

Do not touch either the mouse or keyboard during the scan, otherwise it may stall.

After the scan is finished please click on Finish

Use notepad to open the logfile located at C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt